Configuration Profiles Reference

Overview

This article explains configuration profile settings that affect devices in a complex way or are unique to Jamf Pro.

Settings

Jamf Pro Versions Affected

Configuration Profile Type

Payload(s)

Setting

Description

10.9.0 or later

Computer

Privacy Preferences Policy Control

Jamf Pro allows you to configure settings to allow or deny access to applications and services within a target computer's Security & Privacy preference pane as part of the Privacy Preferences Policy Control profile. This feature is available in macOS 10.14 or later.

This payload allows you to define an app based on the Identifier and Code Requirement of the app. After you define the app, you can choose which application or service from the target computer's Security & Privacy preference pane you want to deny or allow access to. For more information about the contents of the Privacy Preferences Policy Control profile, see the Preparing your Organization for User Data Protections on macOS 10.14 Knowledge Base article.

10.8.0 or later

Computer

Certificate, SCEP

Preference Items

Allows you to configure a Certificate Preference or an Identity Preference by entering the locations (URLs) or email addresses for each preference item. You can include as many preference items as your environment requires.

This feature is available in macOS 10.12 or later.

Note: This setting is only available for user-level profiles.

10.6.2 or later

Mobile Device, Computer

VPN

Enable VPN On Demand

Jamf Pro allows you to configure VPN On Demand rules that specify when and how devices are able to access your VPN services. To configure this feature, you must upload a configuration XML file that contains your rules. This feature is available for any supported VPN type.

The configuration XML file can contain one or more keys defined by the Apple configuration profile keys.

10.3.0 or later

Mobile Device

Home Screen Layout

Dock Layout/Page Layout

To add a web clip to the Dock or page layout on a mobile device with iOS 11.3 or later, you must also configure the Web Clips payload.

Important: The following settings must match the respective fields in both payloads:
- The Display Name field in the Home Screen Layout payload must match the Label field in the Web Clips payload.
- The Unique ID field in the Home Screen Layout payload must match the URL field in the Web Clips payload.

10.3.0 or later

Mobile Device, Computer

SCEP

Subject text field

Jamf Pro automatically appends $PROFILE_IDENTIFIER to the Subject field if the Redistribute Profile option is configured.

Important: To ensure the profile is redistributed before the SCEP-issued certificate expires, you must manually redistribute the profile to all computers and mobile devices that had the profile installed between Jamf Pro 10.0.0–10.2.x. If the appended identifier is not included in the Subject field of the SCEP payload, the profile is not redistributed before the certificate expires. Redistributing the profile to affected devices after upgrading to Jamf Pro 10.3.0 mitigates this issue.

9.101.0 or later

Computer

Security & Privacy

Recovery Key Encryption Method

Allows you to choose whether Jamf Pro will automatically encrypt and decrypt personal (also known as "individual") FileVault recovery keys.

There are two options:

- Automatically encrypt and decrypt recovery key (default)
  - Key decryption—Key is automatically decrypted. If you choose this option, you do not need to configure a certificate in the Certificate payload when the Enable Escrow Personal Recovery Key option is enabled.
  - Key storage—Key is stored in Jamf Pro.
  - Viewing the recovery key—When you view the personal recovery key for a computer, the decrypted recovery key is displayed.

- Manually specify encryption key
  - Key decryption—You must manually specify the encryption key to decrypt the FileVault recovery key. Manually specifying the encryption key requires a Certificate payload (.cer) included in the configuration profile. The certificate used to encrypt the personal recovery key must be specified in the Personal Recovery Key Encryption Certificate pop-up menu.
  - Key storage—Key is not stored in Jamf Pro.
  - Viewing the recovery key—When you view the personal recovery key for a computer, the encrypted recovery key is displayed. The encrypted key file will be base64- and CMS-encoded and is accessible when viewing management information for a computer by navigating to Management tab > FileVault 2 > Get FileVault 2 Recovery Key.

9.9 or later

Mobile Device

Home Screen Layout

Page Layout

Allows you to configure the content and layout for each page on the device.

Apps and web clips that are assigned to the device but are not added to the page layout are placed on the last page of the device in alphabetical order.

If a folder on the device is not added to the page layout, the apps within the folder are removed from the folder and are placed on the last page of the device. The folder is removed from the device.

9.98 or later

Mobile Device

Restrictions

Allow connection to unmanaged Wi-Fi networks

Allows you to prevent users from connecting to any Wi-Fi networks not deployed through Jamf Pro.

Warning: If left unchecked, and if at least one Wi-Fi payload is not configured on scoped devices through a configuration profile, devices may lose all network connectivity.

On iOS 9 or later—Devices must be supervised. When selected, the App Store is disabled and removed from the Home screen but apps from the App Store can still be installed and updated using Apple Configurator, iTunes, or Jamf Pro. When deselected, the App Store is still disabled and apps from the App Store can only be installed or updated using Jamf Pro.

On iOS 5–8—Supervision not required. When selected, the App Store is enabled and displayed on the Home screen. Apps from the App Store can be installed or updated using the App Store, iTunes, or Jamf Pro. When deselected, the App Store is disabled and removed from the Home screen. Apps from the App Store cannot be installed or updated using the App Store or iTunes but can be installed or updated using Jamf Pro.

9.8 or later

Mobile Device

Restrictions

Allow installing apps using App Store (iOS 9 only; supervised only)

Works on supervised devices with iOS 9 only.

When selected, the App Store is enabled and displayed on the Home screen. Apps from the App Store can be installed or updated using the App Store, iTunes, Apple Configurator, or Jamf Pro. (This excludes automatic downloads.)

When deselected, the App Store is disabled and removed from the Home screen but apps from the App Store can still be installed and updated via Apple Configurator, iTunes, or Jamf Pro.

9.2 or later

Computer

FileVault Recovery Key Redirection

Recovery Key Redirection

Unique to Jamf Pro.

Choose how you want the recovery keys to be redirected.

9.0 or later

Mobile Device, Computer

SCEP

Display "Redistribute Profile" setting for this profile

Unique to Jamf Pro.

Select this checkbox if you want to display the Redistribute Profile setting in the General payload.

9.0 or later

Mobile Device, Computer

General

Redistribute Profile

Unique to Jamf Pro.

Automatically redistributes the profile when its SCEP-issued certificate is the specified number of days from expiring.

8.6 or later

Mobile Device, Computer

SCEP

Challenge Type

Unique to Jamf Pro.

The challenge password is used as the pre-shared secret for enrollment. There are three challenge type options:

Static - Use the same challenge password for each computer or mobile device.

Dynamic - Use a unique challenge password for each computer or mobile device. This option is for non-Microsoft CAs. The Dynamic option requires use of the Jamf API and membership in the Jamf Developer Program. Before selecting this option, contact your Jamf account representative to learn more about the Jamf Developer Program and the additional steps you need to take to use this option.

Dynamic-Microsoft CA - Use a unique challenge password for each computer or mobile device. This option is for Microsoft CAs only.
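
The warning under "Allow connection to unmanaged Wi-Fi networks" can be checked before a profile is scoped. The following is an added example, not code from Jamf or from this article: it reads the set of profiles intended for one device and flags the case where managed-only Wi-Fi is enforced but no Wi-Fi payload is present. It assumes the profiles are unsigned .mobileconfig files and that the unchecked Jamf Pro checkbox is written as one of Apple's restriction keys forceWiFiWhitelisting or forceWiFiToAllowedNetworksOnly; the function names and sample profiles are constructed for illustration.

```python
import plistlib

WIFI_PAYLOAD = "com.apple.wifi.managed"
RESTRICTIONS_PAYLOAD = "com.apple.applicationaccess"
# Apple restriction keys that limit a supervised device to managed Wi-Fi.
# Assumption: Jamf Pro sets one of these to true when the checkbox is unchecked.
MANAGED_WIFI_ONLY_KEYS = ("forceWiFiWhitelisting", "forceWiFiToAllowedNetworksOnly")


def payloads(profile_bytes):
    """Yield every payload dictionary in one unsigned .mobileconfig document."""
    profile = plistlib.loads(profile_bytes)
    yield from profile.get("PayloadContent", [])


def wifi_lockout_risk(profiles):
    """Return (at_risk, managed_ssids) for the profiles scoped to one device.

    at_risk is True when managed-only Wi-Fi is enforced and no Wi-Fi payload
    supplies a network the device would still be allowed to join.
    """
    restricted, ssids = False, []
    for raw in profiles:
        for p in payloads(raw):
            ptype = p.get("PayloadType")
            if ptype == RESTRICTIONS_PAYLOAD:
                restricted = restricted or any(
                    p.get(k) is True for k in MANAGED_WIFI_ONLY_KEYS)
            elif ptype == WIFI_PAYLOAD and p.get("SSID_STR"):
                ssids.append(p["SSID_STR"])
    return (restricted and not ssids), ssids


def make_profile(*payload_dicts):
    """Build a constructed sample profile (not exported from Jamf Pro)."""
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "example.sample",
        "PayloadContent": list(payload_dicts)})


# Constructed sample input: one restrictions profile, one Wi-Fi profile.
RESTRICT = make_profile({"PayloadType": RESTRICTIONS_PAYLOAD,
                         "forceWiFiWhitelisting": True})
WIFI = make_profile({"PayloadType": WIFI_PAYLOAD, "SSID_STR": "Corp-Example",
                     "EncryptionType": "WPA2"})

if __name__ == "__main__":
    print(wifi_lockout_risk([RESTRICT]))        # restriction alone
    print(wifi_lockout_risk([RESTRICT, WIFI]))  # restriction plus Wi-Fi payload
```
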

So how do you fix this if the box was unchecked and no Wi-Fi networks were configured? Now I have an iPad that cannot see any networks and cannot check for config changes because it is not able to see and connect to any networks.